Agile Web Development

Limited Sessions

A plugin to modify Ruby on Rails' standard database-backed sessions behavior to be more intelligent.

Features

  • Configurable session expiry time (e.g. 2 hours from last page access)
  • Optional hard limit regardless of last page access (e.g. 24 hours)
  • Optional ability to tie session to an IP or /24 subnet
  • Optional auto-cleaning of expired sessions

Requirements

  • A functional Rails app that uses the standard ActiveRecordStore session store (config.action_controller.session_store = :active_record_store)
  • Ensure your sessions table has an `updated_at` column
  • If using hard session limits, a `created_at` column

Limitations

  • IP restrictions are not IPv6 enabled for subnets (although it should work for a full match)
  • IP restrictions may or may not be sufficient or even work if a proxy is involved on the client side

Installation

Simply add this plugin to your Rails app and configure it if required.

To add it to your Rails app:

./script/plugin install -x http://svn.iprog.com/projects/rails/plugins/limited_sessions

(drop the -x if you don't use subversion in your project or don't want to manage plugins via svn:externals)

Configuration

There are several options that can be configured. They should be placed at the end of config/environment.rb (or the individual environment.rb files if that's preferred).

CGI::Session::ActiveRecordStore::Session.recent_activity_limit = 2.hours

Expires a session once the given period of time has passed since its last activity. Expiry is managed on the server side, and if the user closes their browser, the session will be gone. Default is 2 hours.

CGI::Session::ActiveRecordStore::Session.hard_session_limit = 24.hours

Sessions can also be forcefully expired without regard to the last activity. So if this is set to 24 hours and the above is two hours, the session will be terminated if a) the user has been inactive for more than two hours OR b) it has been more than 24 hours since the session began. Default is disabled (nil). Requires a `created_at` column in the session table.

CGI::Session::ActiveRecordStore::Session.auto_clean_sessions = 1000

Runs a random test to decide whether the app should delete all expired sessions now. The odds are 1 in the value provided here; 0 disables this option. Default is 1000. A busy site may want 10000 or higher.

ActionController::CgiRequest.ip_restriction = :subnet

If set to :subnet, the first three quads of the IPv4 address are compared for a match. If set to :exact, the full IP address is compared (which should also work for IPv6). If there is no match, the session is reset. Default is :none. The IP match data is stored in the session store as session[:ip].
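
The checks described in this section, written out as plain Ruby. This is an added example, not the plugin's own code: `Limits`, `ip_match_key`, `session_status` and the sample rows are hypothetical names and constructed data, and the IPv6 fallback to a full match under :subnet is an assumption based on the Limitations section.

```ruby
require 'ipaddr'

# Hypothetical settings holder mirroring the plugin's option names.
Limits = Struct.new(:recent_activity_limit, :hard_session_limit, :ip_restriction)

# Value that would be kept as session[:ip] for a client address.
def ip_match_key(addr, mode)
  return nil if mode == :none
  ip = IPAddr.new(addr)
  # :subnet keeps the first three quads of an IPv4 address (a /24).
  # Assumption: IPv6 falls back to a full-address match.
  return ip.mask(24).to_s if mode == :subnet && ip.ipv4?
  ip.to_s
end

# Returns :ok, or the reason the session has to be reset.
# request_ip is whatever address the app sees; behind a client-side proxy
# that is the proxy's address, so many users can share one key.
def session_status(row, request_ip, limits, now = Time.now)
  return :idle_expired if now - row[:updated_at] > limits.recent_activity_limit
  if limits.hard_session_limit &&
     now - row[:created_at] > limits.hard_session_limit
    return :hard_expired
  end
  key = ip_match_key(request_ip, limits.ip_restriction)
  return :ip_mismatch if key && row[:ip] && key != row[:ip]
  :ok
rescue IPAddr::InvalidAddressError
  :ip_mismatch # unparsable address: treat as no match
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data (documentation address ranges).
  now    = Time.utc(2008, 1, 1, 12, 0, 0)
  limits = Limits.new(2 * 3600, 24 * 3600, :subnet)
  row    = { updated_at: now - 600, created_at: now - 3600, ip: '203.0.113.0' }
  %w[203.0.113.57 203.0.114.57 2001:db8::1].each do |ip|
    puts "#{ip}: #{session_status(row, ip, limits, now)}"
  end
end
```

The idle check runs before the hard limit, so a session that fails both is reported as idle-expired; either result means the session is reset.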

Vitals

Home http://iprog.com/project/limited_sessions
Repository http://svn.iprog.com/projects/rails/plugins/limited_sessions
License Rails' (MIT)
Tags Ralph session
Rating (6 votes)
Owner thomas morgan
Created 20 September 2007

Comments

  • 20 September 2007

    Nice work! I'll try it out on some newer projects. The auto-cleaning of sessions is definitely very convenient!

  • Ralph
    25 March 2008

    OK, but where are the tests? This is a small lib so making some good tests shouldn't have taken too much time. Why should every user of this lib implement its tests (and risk making them wrong)? This is not agile, this is just poor.

  • manivannan
    26 August 2008

    I have downloaded this plugin, then configured the session lifetime in environment.rb like
    CGI::Session::ActiveRecordStore::Session.recent_activity_limit = 2.hours.
    Finally, I started my server, and I am getting the following error:
    /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:478:in `const_missing': uninitialized constant CGI::Session (NameError)
    from /home/manivannan/july1/GenuineTravelsTesting/config/environment.rb:52
    from /usr/local/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:47:in `run'
    from /home/manivannan/july1/GenuineTravelsTesting/config/environment.rb:17
    from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `gem_original_require'
    from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require'
    from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:496:in `require'
    from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:342:in `new_constants_in'
    from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:496:in `require'
    ... 8 levels...
    from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require'
    from ./script/server:3
    from -e:4:in `load'
    from -e:4

    Any idea?

    Thanks & Regards
    Manivannan J
